Government seeks input on supply chain security

The government has unveiled new proposals to help UK businesses manage cyber security in their digital and third-party IT services supply chains, as a growing body of evidence suggests that the risks to business continuity are hitting unprecedented heights.

With supply chains demonstrably threatened through high-profile cyber attacks – a recent spate of incidents sparked through breaches of Accellion and Codecov products and, arguably, the SolarWinds incident – the Department for Digital, Culture, Media and Sport (DCMS) is calling for views on several measures to enhance supply chain security.

Recent research conducted by the department suggests that only 12% of UK organisations routinely review the cyber risks from their immediate suppliers, and only 5% address the vulnerabilities in their wider supply chain.

“There is a long history of outsourcing of critical services,” said digital infrastructure minister Matt Warman. “We have seen attacks such as ‘CloudHopper’ where organisations were compromised through their managed service provider. It is essential that organisations take steps to secure their mission-critical supply chains – and remember they cannot outsource risk.

“Firms should follow free government advice on offer. They must take steps to protect themselves against vulnerabilities and we need to ensure third-party kit and services are as secure as possible. We’re seeking views from firms that both procure and provide digital services, as a first step in considering whether we need updated guidance or strengthened rules.”

To this end, the Call for Views on Supply Chain Cyber Security, which will run until 11 July 2021, is seeking views both on existing guidance for supply chain risk management – the National Cyber Security Centre (NCSC) provides advice on supply chain security and supplier assurance – as well as binding managed service providers and other tech suppliers to the 14 Cyber Assessment Framework principles.

This framework includes several measures that organisations should take, including implementing policies to protect devices and stop unauthorised access, ensuring data is protected at rest and in transit, maintaining secure and accessible backups, and training staff in a positive cyber security culture.

DCMS is also seeking feedback on examples of where supplier risk management has been done right, building on the NCSC’s advice.

The department’s announcement comes hot on the heels of last week’s US presidential executive order, signed by Joe Biden, which contains similarly far-reaching proposals around securing the IT supply chain, including tighter standards for the development of software bought by the US government, and establishes a security hygiene “star rating” for software solutions.

The US government was hit particularly hard by attacks conducted through compromised instances of SolarWinds’ Orion network management platform at the end of 2020, which also had some limited spill-over into UK organisations.